Adolfo Delorenzo
28de656b97
Some checks failed
ARM64 Build / Build generic ARM64 disk image (push) Failing after 4s
CI / Go Tests (push) Successful in 1m28s
CI / Shellcheck (push) Successful in 45s
CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Successful in 1m17s
CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Successful in 1m13s
Phase 7 of v0.3. The update agent can now pull update artifacts from any
OCI-compliant registry (ghcr.io, quay.io, harbor, zot, etc.) alongside the
existing HTTP latest.json protocol. Multi-arch artifacts are resolved
through manifest indexes so the same tag (e.g. "stable") yields the
right kernel + initramfs for runtime.GOARCH.
New package update/pkg/oci (~280 LOC, 9 tests):
- Client wraps oras-go/v2's remote.Repository. NewClient parses
host/path references; WithPlainHTTP toggle for httptest.
- FetchMetadata resolves a tag and returns image.UpdateMetadata from
manifest annotations (io.kubesolo.os.{version,channel,architecture,
min_compatible_version,release_notes,release_date}). No blobs fetched.
- Pull resolves the tag, walks index → arch-specific manifest, downloads
kernel + initramfs layers identified by their custom media types
(application/vnd.kubesolo.os.kernel.v1+octet-stream and
application/vnd.kubesolo.os.initramfs.v1+gzip), verifies their digests
against the manifest, returns the same image.StagedImage shape the
HTTP client produces.
- Cross-arch single-arch manifests are refused via the AnnotArch check
(defense in depth on top of the gates in cmd/apply.go).
- Tests use a hand-rolled httptest registry implementing /v2/probe,
manifest fetch by tag-or-digest, blob fetch by digest. Cover index
arch-selection, single-arch manifests, missing-arch error, tampered
blob rejection (digest mismatch), and reference parsing.
Dependencies added: oras.land/oras-go/v2 v2.6.0 plus its transitive
opencontainers/{go-digest,image-spec} and golang.org/x/sync. All small
and well-maintained; total binary size impact is negligible relative to
the existing 6.1 MB update agent.
cmd/apply.go:
- New --registry and --tag flags; mutually exclusive with --server.
- applyMetadataGates extracted as a helper, called from both transports
so channel/arch/min-version policy is enforced identically regardless
of how metadata was fetched.
- State transitions identical to the HTTP path: Checking → Downloading
→ Staged, with RecordError on any failure.
cmd/opts.go: --registry, --tag CLI flags. update.conf "server=" already
accepts either an HTTP URL or an OCI ref; the agent distinguishes by
which CLI/conf field carries the value.
build/scripts/push-oci-artifact.sh: new tool that publishes a single-arch
update artifact via the oras CLI with our custom media types and
annotations. After running for each arch, the operator composes the
multi-arch index with `oras manifest index create`. Documented inline.
build/Dockerfile.builder: installs oras 1.2.3 from upstream releases so
the Gitea Actions build container can run the new script.
Signature verification on the OCI path is intentionally deferred — the
artifact format is digest-verified end-to-end via oras-go, and Ed25519
signature consumption via OCI referrers is a follow-up. Plain HTTP
clients keep their existing signature path.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
74 lines
1.7 KiB
Ruby
74 lines
1.7 KiB
Ruby
FROM --platform=linux/amd64 ubuntu:24.04
|
|
|
|
ENV DEBIAN_FRONTEND=noninteractive
|
|
|
|
# Install build tools + kernel build dependencies
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
bash \
|
|
bc \
|
|
bison \
|
|
build-essential \
|
|
ca-certificates \
|
|
cpio \
|
|
curl \
|
|
dosfstools \
|
|
dwarves \
|
|
e2fsprogs \
|
|
fdisk \
|
|
file \
|
|
flex \
|
|
genisoimage \
|
|
grub-common \
|
|
grub-efi-amd64-bin \
|
|
grub-efi-arm64-bin \
|
|
grub-pc-bin \
|
|
grub2-common \
|
|
gzip \
|
|
isolinux \
|
|
iptables \
|
|
kmod \
|
|
libarchive-tools \
|
|
libelf-dev \
|
|
libssl-dev \
|
|
make \
|
|
parted \
|
|
squashfs-tools \
|
|
syslinux \
|
|
syslinux-common \
|
|
syslinux-utils \
|
|
apparmor \
|
|
apparmor-utils \
|
|
gcc-aarch64-linux-gnu \
|
|
binutils-aarch64-linux-gnu \
|
|
busybox-static \
|
|
git \
|
|
kpartx \
|
|
unzip \
|
|
wget \
|
|
xorriso \
|
|
xz-utils \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Install Go (for building cloud-init and update agent)
|
|
ARG GO_VERSION=1.25.5
|
|
RUN curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
|
|
| tar -C /usr/local -xzf -
|
|
ENV PATH="/usr/local/go/bin:${PATH}"
|
|
|
|
# Install oras (OCI artifact CLI) for push-oci-artifact.sh.
|
|
# Bump ORAS_VERSION when pushing breaks or when oras gains useful flags.
|
|
ARG ORAS_VERSION=1.2.3
|
|
RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
|
|
| tar -C /usr/local/bin -xzf - oras \
|
|
&& chmod +x /usr/local/bin/oras
|
|
|
|
WORKDIR /build
|
|
COPY . /build
|
|
|
|
RUN chmod +x build/scripts/*.sh build/config/*.sh \
|
|
&& chmod +x hack/*.sh 2>/dev/null || true \
|
|
&& chmod +x test/qemu/*.sh test/integration/*.sh test/kernel/*.sh 2>/dev/null || true
|
|
|
|
ENTRYPOINT ["/usr/bin/make"]
|
|
CMD ["iso"]
|